Method and system for communications monitoring

ABSTRACT

The present invention provides for a system, and related method, for use in the monitoring of communications traffic, comprising the step of recording the said traffic and storing the recorded traffic in an encrypted data format such that the data can be decrypted only by means of keys that exhibit restricted availability.

The present invention relates to a method and system for communications monitoring and, in particular, to a method and system for use in the surveillance of communications traffic.

With the increase in commercial transactions conducted via the internet, or via a telephone call, commercial organisations have increasingly turned to recording technology to assist with monitoring the performance of their customer service employees who, quite commonly, might be located within a call centre designed specifically to handle a large number and variety of telephone enquiries and transactions. It is therefore now quite common for such transactions to be monitored, with prior warnings giving the customer a clear indication that the conversation may be recorded for training and quality-control purposes. The recording of such transactions can also prove to be of assistance in meeting regulatory requirements and enhancing the possibilities for dispute resolution.

The employment of such recording techniques has however remained very much in the commercial environment since the indiscriminate recording of, for example, telephone communications traffic in general, and including mere public communications traffic, carries with it far greater data protection and privacy issues.

Although it is known for law enforcement agencies to obtain authorisation to place wire-taps in order to monitor, for example, telephone communications involving a likely criminal source, such authorisation is granted only once particular criteria concerning the level of suspicion of the criminal source are met, which, somewhat disadvantageously, can often prove to be after incriminating communications traffic has already been sent.

The present invention seeks to overcome such disadvantages with regard to the time-lag that can currently exist when seeking to monitor communications traffic and with regard to the likely occurrence of potentially incriminating traffic and the initiation of a monitoring/surveillance program.

According to a first aspect of the present invention, there is provided a method for use in the monitoring of communications traffic, comprising the steps of recording the said traffic and storing the recorded traffic in an encrypted data format such that this data can be decrypted only by means of decryption keys that exhibit restricted availability.

The method is particularly advantageous since it can allow for the recordal and encryption of all communications traffic, so that potentially incriminating traffic from a later-identified criminal source has already been recorded. The restricted availability of the decryption keys then provides a means for accessing the potentially incriminating communications evidence in the same controlled manner as known wire-taps are currently permitted.

Preferably, the method can be implemented employing spare disk space, and/or CPU capacity within a currently existing telecommunications system. This has the particular advantage of allowing for implementation of the method at negligible additional cost.

Also, the decryption keys arranged to be issued in a secure and authorised manner can be arranged to contain encrypted search conditions serving to restrict their scope of use. For example, a “where” clause can be embedded within the decryption key so as to allow access only to those encrypted data records that match the authorised search criteria.

Further, the decryption key can contain discrete levels of authorisation for access to the encrypted data.

According to a further advantage, the decryption keys can be arranged to be used only once so as to advantageously prevent unauthorised subsequent searches through the recorded data.

Advantageously, the method includes the step of logging all attempted accesses to the stored data. This can advantageously provide for a secure and encrypted audit trail accessible only by means of specially granted keys available only to reviewing/auditing bodies rather than, for example, law enforcement agencies.

According to a further feature, the method can provide for the inclusion of tamper detection reference data.

Advantageously, the method is arranged to record all communications traffic and to likewise store all of the recorded traffic.

In particular, the method is applicable to communications traffic through a node such as a telecommunications switch, router or gateway.

Preferably, the method also includes the step of encrypting details concerning the communications traffic, which details are then also stored.

It will therefore be appreciated that the present invention can advantageously provide for a method for use in the monitoring of communications traffic as noted above and including the step of restricting the availability of the decryption keys in accordance with, in particular, legislative requirements.

According to another aspect of the present invention, there is provided a system for use in the monitoring of communications traffic and including means for recording the said traffic and means for storing the recorded traffic as encrypted data such that the data can be decrypted only by means of decryption keys that exhibit restricted availability.

The invention also preferably includes a system arranged to operate in accordance with the method steps outlined above.

The invention is described further hereinafter by way of example only, with reference to the accompanying drawing which comprises a schematic block diagram of a telecommunications monitoring system according to an embodiment of the present invention.

Turning now to the accompanying drawing, there is illustrated a telecommunications monitoring system 10 for monitoring communications traffic 12 travelling through, for example, a telecommunications switch 14. The system includes a recording device 16 that taps into the switch 14 so as to record all of the traffic passing there-through. The recorded traffic is then delivered to an encryption engine 18 which can employ any one or more of the appropriate currently available encryption schemes and in particular one or more of the 128-bit currently available encryption schemes.

The encrypted data is then delivered to the storage means 20 in which it can be stored for any appropriate amount of time, if not indefinitely, in accordance with legislative requirements. The encrypted data within the storage means 20 can be accessed and decrypted by means of decryption keys 22.

Typically, the available storage space can be recycled so as to provide a “first in first out” (FIFO) buffer of recordings which are retained for the maximum possible duration before being overwritten with more recent recordings.

However, an authorising system 24 is in place, which can be controlled by any appropriate authorising, or legislative body, such that the decryption keys 22 are only made available should specific criteria be met.

As an example, the decryption keys can be issued in a manner similar to currently existing schemes for authorising wire-taps.

The availability of so-called wire-tap warrants is currently closely controlled, for example in the US by the Federal Communications Commission under the Communications Assistance for Law Enforcement Act 1994, whereas similar legislation has been introduced in the United Kingdom by means of the Regulation of Investigatory Powers Act 2000.

Such systems can advantageously allow for separate levels of authorisation such as the so-called “pen and trace” warrant or the “wire-tap” warrant controlled in the US under the above-mentioned Communications Assistance for Law Enforcement Act 1994.

Advantageously, the decryption keys can themselves contain encrypted search conditions so as to satisfactorily reduce, or eliminate, the chance of abuse and error. That is, if a warrant is issued to allow for the review of the calls only from one particular source, to one particular destination, or only calls within a particular time frame, appropriate clauses can be embedded within the decryption key so that only those encrypted records that match the quite specific criteria are made available.
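One possible realisation of warrant-scoped, single-use key release with an access log, given as an added example and not taken from the patent: the search conditions are authenticated with an HMAC rather than encrypted, and the names `Gatekeeper`, `issue_warrant` and `record_key`, the shared authority key and the sample records are all hypothetical.

```python
import hashlib, hmac, json

MASTER_KEY = b"constructed-master-key"        # held only by the storage gatekeeper (assumption)
AUTHORITY_KEY = b"constructed-authority-key"  # shared with the authorising system (assumption)

# Constructed call details standing in for the stored traffic metadata.
RECORDS = [
    {"id": 1, "src": "555-0100", "dst": "555-0199", "ts": 1000},
    {"id": 2, "src": "555-0100", "dst": "555-0142", "ts": 2000},
    {"id": 3, "src": "555-0123", "dst": "555-0199", "ts": 2500},
]

def record_key(record_id):
    """Per-record key derived from the master key; releasing one reveals no other."""
    return hmac.new(MASTER_KEY, b"rec:%d" % record_id, hashlib.sha256).digest()

def issue_warrant(conditions, nonce):
    """Authorising system binds the search conditions and a nonce under a MAC."""
    body = json.dumps({"where": conditions, "nonce": nonce}, sort_keys=True).encode()
    return body, hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()

class Gatekeeper:
    def __init__(self):
        self.used_nonces = set()
        self.audit = []              # hash-chained log of every access attempt
        self.head = b"\x00" * 32

    def _log(self, event):
        self.head = hashlib.sha256(self.head + event.encode()).digest()
        self.audit.append((event, self.head.hex()))

    def redeem(self, body, tag):
        """Return {record_id: key} for matching records only, or None if refused."""
        expected = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self._log("DENY bad-mac")          # conditions were altered or forged
            return None
        warrant = json.loads(body)
        if warrant["nonce"] in self.used_nonces:
            self._log("DENY replay " + warrant["nonce"])   # key usable only once
            return None
        self.used_nonces.add(warrant["nonce"])
        w = warrant["where"]         # an omitted condition matches any value
        hits = [r for r in RECORDS
                if r["src"] == w.get("src", r["src"])
                and r["dst"] == w.get("dst", r["dst"])
                and w.get("from", r["ts"]) <= r["ts"] <= w.get("to", r["ts"])]
        self._log("GRANT %s ids=%s" % (warrant["nonce"], [r["id"] for r in hits]))
        return {r["id"]: record_key(r["id"]) for r in hits}
```

Because each log entry's hash covers the previous one, an auditing body that holds the latest hash can detect removal or rewriting of earlier entries.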

Thus, as will be appreciated, and with particular reference to the enclosed drawing, the present invention provides for a particularly advantageous concept in communications monitoring in which there is no danger of important communications evidence being lost due to delays in seeking appropriate surveillance authorisation since the obtaining of such authorisation is time-shifted to a point at which the recording is made, and the granting of the authorisation relates merely to accessing a secure recording thereof.

It should be appreciated that the present invention is not restricted to the details of the foregoing embodiments. For example, the concept can be applied to any appropriate form of communication, and indeed the communication of any appropriate data and whether comprising audio, modem, fax or data network packet data such that, for example, PC terminal activity can also be monitored for subsequent review if authorised.

With regard to realisation of the concept it should be noted that telephone switch manufacturers could readily embed the capability of recording all calls in next generation switches for a few percent of the total cost of the system.

All calls could be recorded using heavy-weight encryption so as to maintain public confidence that the same controls were in place to grant access to recordings that are used today to authorise wire-tapping, i.e. decryption keys are only issued as a warrant is granted. Initially it may only be viable to retain such recordings for a few days although increasingly inexpensive storage capabilities will assist in increasing such periods.

This capability could be added to every cellular base station, every central office switch and every corporate switch.

The ability to go back through all calls made after the event by identified terrorists can have a significant effect on follow-up operations.

Whilst the concept of the wire-tapping of telephone lines is well known, the use of a PC can also be monitored.

For example, programmers first introduced “log files” into specific applications as diagnostic aids to help them understand how someone broke their program, and the concept of being able to note everything that happened on a PC goes back to venerable tools like “PC Anywhere”; it was a fairly small step from there to keeping a log file of everything that happened on the screen during a session.

More recently, this concept has been increasingly used in call centres to review maybe 1% of calls to see how customer service reps are using the computer system during phone calls.

Increasing amounts of business are conducted on mixed channels, with a caller on the line also looking at his browser where a staff member is highlighting terms and conditions on a competitor's web-site. Regulatory bodies have only just begun to be aware of potential loop-holes in rules that insist on voice recording only. Where communication involves multiple channels it is vital that all channels are recorded together, archived together and replayable together.

1. A method for monitoring of communications traffic, comprising: connecting a recorder to a network switch to record packet-data communication traffic received from, and passing through, the network switch; encrypting the packet-data communication traffic at an encryption engine communicatively connected to the recorder after the packet-data communication traffic has passed through the network switch to create encrypted data; storing the encrypted data in a storage device such that the encrypted data can be decrypted only by means of decryption keys that exhibit restricted availability; and providing the decryption keys having embedded encrypted search conditions therein to only provide access to encrypted data meeting criteria specified by the encrypted search conditions, wherein the criteria specify an identification of the portions of the packet-data communications traffic within the encrypted data to be decrypted.
 2. The method as claimed in claim 1 further including employment of a spare disk and/or CPU capacity within a telecommunications system.
 3. The method as claimed in claim 1, further including the step of employing separate levels of authorization for access to the stored data.
 4. The method as claimed in claim 1, further including the step of employing a decryption key that is useable only once.
 5. The method as claimed in claim 1, further including the step of logging all accesses to the stored data to an encrypted secure audit trail.
 6. The method as claimed in claim 1, further including a tamper detection reference within the encrypted data.
 7. The method as claimed in claim 1, further including the step of monitoring all the available communications traffic.
 8. The method as claimed in claim 7, wherein the step of storing the recorded traffic comprises the step of recording all of the recorded traffic.
 9. The method as claimed in claim 1, wherein the communications traffic to be recorded comprises traffic through a telecommunications switch, router or gateway.
 10. The method as claimed in claim 1, further including the step of encrypting details relating to the communications traffic and storing the said encrypted details for subsequent access.
 11. The method as claimed in claim 1, further including the step of authorizing use of the required decryption key in a restricted manner.
 12. A system for monitoring of communications traffic, comprising: a recorder that records the communications traffic, the communications traffic being received by the recorder from a network switch; an encryption engine that encrypts the communications traffic after the communications traffic has passed through the network switch to the recorder; and a storage device that stores recorded communications traffic as encrypted data, such that the encrypted data can be decrypted only by means of decryption keys that exhibit restricted availability, wherein encrypted search conditions are included within the keys that only provide access to encrypted data meeting criteria specified by the encrypted search conditions, and wherein the criteria specify an identification of the portions of the communications traffic within the encrypted data to be decrypted.
 13. The system as claimed in claim 12 further including application software that executes any one or more of the following method steps: the step of employing separate levels of authorization for access to the stored data; the step of employing a decryption key that is useable only once; the step of logging all accesses to the stored data to an encrypted secure audit trail; the step of monitoring all the available communications traffic; the step of storing the recorded traffic comprises the step of recording all of the recorded traffic; the step of encrypting details relating to the communications traffic and storing the said encrypted details for subsequent access; the step of authorizing use of the required decryption key in a restricted manner. 